HJ - 017 hijacked by Ukrainian nameserver (inhoster) (RESOLVED)
-
Hi there,
Can anyone please help me with this problem? I recently got hit with an unwanted infection from UnSpyPc, which I managed to remove. However, since that infection, when connecting to the Internet, through starting my browser or instant messenger, Zone Alarm keeps asking me to allow a connection to a Ukrainian IP address (inhoster, Inhoster hosting company, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine). If I deny the access request I can't connect. This problem has been bugging me for a couple of weeks now.
I've checked elsewhere on the forum and have followed all the instructions for removal of UnSpyPC related malware (which seems to be linked with Inhoster quite often), but I cannot stop this 017 Nameserver hijack. I've used Blacklight to remove the rootkit files, AVG and Ewido to remove viral files, and Fixwareout to remove the 017 hijack. Fixwareout does remove the evil Ukraine 017's from HijackThis - for a short while. If I scan immediately after using Fixwareout, they are gone, and so is the Zone Alarm connection request. If however I run a HJ scan 20 minutes later, the Ukrainian 017 will be back, but a virus scan will prove negative.
Can someone please help me to finally rid my machine of this annoyance? Many thanks in advance.
Here's the most recent HJ log:
Logfile of HijackThis v1.99.1
Scan saved at 12:10:40, on 11/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\regedit.exe
C:\Cleaner Progs\HJ.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA7A6407-C48F-4653-939A-3D8137D7468D}: NameServer = 85.255.116.173 85.255.112.166
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
See if the following steps make a difference:
- Please go to Start -> Control Panel, and choose Network Connections.
- Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left-click on Properties.
- Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
- Click OK twice, and restart your computer.
-
Thanks for that! That seems to have sorted the problem. Thank you.
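
Added example, not part of the original thread: a small Python check that parses the O17 lines of a HijackThis log and reports statically configured `NameServer` values outside the resolvers the owner expects, which is the setting the steps above reset. The `EXPECTED` network and the second sample line are constructed assumptions; the first sample line is the O17 entry from the log on this page.

```python
import ipaddress
import re

# Shape of a HijackThis O17 entry: "O17 - <registry key>: <value name> = <data>"
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")


def static_nameservers(log_text):
    """Yield (registry_key, token) for every statically set NameServer in the log."""
    for line in log_text.splitlines():
        m = O17_LINE.match(line.strip())
        if not m or m.group("name") != "NameServer":
            continue  # DhcpNameServer, Domain etc. are not static resolver overrides
        for token in re.split(r"[,\s]+", m.group("data").strip()):
            if token:
                yield m.group("key"), token


def unexpected_nameservers(log_text, expected_cidrs):
    """Return static resolvers that fall outside the networks the owner expects."""
    expected = [ipaddress.ip_network(c) for c in expected_cidrs]
    findings = []
    for key, token in static_nameservers(log_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            findings.append((key, token, "not an IP address"))
            continue
        if not any(addr in net for net in expected):
            findings.append((key, token, "outside expected resolvers"))
    return findings


# O17 line copied from the log on this page, plus one constructed benign entry.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA7A6407-C48F-4653-939A-3D8137D7468D}: NameServer = 85.255.116.173 85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Assumption: the legitimate resolver is the router on the local 192.168.1.0/24 LAN.
EXPECTED = ["192.168.1.0/24"]

if __name__ == "__main__":
    for key, ip, reason in unexpected_nameservers(SAMPLE_LOG, EXPECTED):
        print(f"{ip}: {reason} ({key})")
```

Running the same check on logs taken some time apart shows whether a cleared entry has been written back, as described in the first post.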